CVE-2018-18529
Description
ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ThinkPHP 3.2.4 allows SQL injection via the `count` parameter due to improper handling in the `parseKey` function of the MySQL driver.
Vulnerability
ThinkPHP 3.2.4 (and ThinkPHP 5 prior to 5.1.25) contains a SQL injection vulnerability in the Library/Think/Db/Driver/Mysql.class.php file. The parseKey function mishandles the key variable when processing aggregate query functions such as count [1]. Affected versions include ThinkPHP 3.x before 3.2.4 and ThinkPHP 5.x before 5.1.25 [2]. The vulnerability is triggered when the count parameter is controllable by the attacker (e.g., via $_GET['count']) and is passed directly to the count() method of the database query builder without proper sanitization or parameterized queries [2].
Exploitation
An attacker can exploit this vulnerability by sending an HTTP request with a malicious payload in the count parameter. For example, a request like http://localhost/?count=id,(select sleep(5)),(username causes a 5-second delay, indicating successful injection [2]. The attacker does not need authentication or special privileges if the application exposes the vulnerable parameter. The injection occurs because the $field value is incorporated into the SQL query without being passed through a prepared statement with placeholders; instead, it is directly concatenated into the aggregate clause [2]. By crafting input that closes the backtick pair and injects arbitrary SQL (e.g., subqueries for blind SQL injection), an attacker can extract data or perform other database operations [2].
Impact
Successful exploitation allows an attacker to perform arbitrary SQL injection. Depending on the database configuration and privileges, the attacker can read, modify, or delete sensitive data from the database, potentially leading to complete compromise of the application's data integrity and confidentiality [1][2]. Since the injection does not require a backquote character in the URI, and the vulnerability is reachable through user-controlled input to aggregate functions, the impact can be severe, especially in applications that directly pass user input to count(), sum(), or other aggregate methods [2].
Mitigation
The fix for ThinkPHP 3.x is to upgrade to version 3.2.4 or later [1]. For ThinkPHP 5.x, upgrade to version 5.1.25 or later [2]. If upgrading is not immediately possible, developers should ensure that user input is never passed directly to aggregate query functions; instead, only whitelisted or strictly validated values should be used. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of publication.
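As an added illustration of the mitigation (example code, not ThinkPHP's own: it uses a plain sprintf() in place of the framework's query builder, and the names ALLOWED_COUNT_COLUMNS, resolveCountColumn() and buildCountSql() are invented for it), the following PHP resolves the request value against an allow-list of column names before it can reach an aggregate query, so the payload quoted in the Exploitation section is refused instead of being concatenated into SQL:

```php
<?php
// Added example, not ThinkPHP code. The vulnerable pattern described above hands
// $_GET['count'] straight to count(); here the request value is first mapped to a
// known column name and anything else fails closed. All names are hypothetical.
declare(strict_types=1);

// Allow-list of columns a client may legitimately count on (constructed sample).
const ALLOWED_COUNT_COLUMNS = ['id', 'username', 'email'];

/**
 * Map an untrusted request value to a permitted column name, or throw.
 * The identifier regex is defence in depth: even an allow-listed entry must be
 * a plain identifier, so commas, parentheses, quotes or backticks never reach SQL.
 */
function resolveCountColumn(string $untrusted): string
{
    $candidate = trim($untrusted);
    if (!in_array($candidate, ALLOWED_COUNT_COLUMNS, true)) {
        throw new InvalidArgumentException('count column not permitted');
    }
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $candidate)) {
        throw new InvalidArgumentException('count column is not a plain identifier');
    }
    return $candidate;
}

/**
 * Build the aggregate query. The only user-derived text in the statement is the
 * validated column name, quoted as an identifier.
 */
function buildCountSql(string $table, string $untrustedColumn): string
{
    $column = resolveCountColumn($untrustedColumn);
    return sprintf('SELECT COUNT(`%s`) AS cnt FROM `%s`', $column, $table);
}

// Demonstration: a legitimate value is accepted; the payload from the page's
// Exploitation section and two other constructed inputs are rejected before
// any SQL text exists.
echo buildCountSql('user', 'id'), PHP_EOL;
foreach (['id,(select sleep(5)),(username', 'id`', 'password'] as $bad) {
    try {
        buildCountSql('user', $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run with `php example.php`; the first line printed is the safe query, followed by one "rejected:" line per bad input.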
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| topthink/framework (Packagist) | <= 3.2.4 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-78q9-24gv-g288 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-18529 (ghsa, ADVISORY)
- www.kingkk.com/2018/10/Thinkphp-%E8%81%9A%E5%90%88%E6%9F%A5%E8%AF%A2%E6%BC%8F%E6%B4%9E/ (ghsa, x_refsource_MISC, WEB)
News mentions (0)
No linked articles in our index yet.